phpBB 3.2.3: Phar Deserialization to RCE

20 Nov 2018 by Simon Scannell
phpBB3 Phar Deserialization

A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board.

Read More ...

Pydio 8.2.1 Unauthenticated Remote Code Execution

13 Nov 2018 by Simon Scannell, Robin Peraglie
Pydio Object Injection to RCE

Pydio is a popular file sharing solution used by enterprises and governments around the world. It suffered from a highly critical vulnerability that allowed unauthenticated attackers to compromise the entire file sharing server and to execute arbitrary code on the remote machine. Find out more about the impact and technical details in our blog post.

Read More ...

WARNING: WordPress File Delete to Code Execution

26 Jun 2018 by Slavco Mihajloski, Karim El Ouerghemmi
WordPress Unlink to RCE

WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.

Read More ...

Evil Teacher: Code Injection in Moodle

12 Jun 2018 by Robin Peraglie

Code Injection Exploit in Moodle

Moodle is a widely-used open-source e-Learning software with more than 127 million users allowing teachers and students to digitally manage course activities and exchange learning material, often deployed by large universities. In this post we will examine the technical intrinsics of a critical vulnerability in the previous Moodle release detected by RIPS Code Analysis. It is located in the Quiz component of Moodle and can be successfully exploited through the teacher role in order to perform remote code execution. If you are running Moodle < 3.5.0 we highly recommend to update your instances to the newest version immediately.

Read More ...

A Salesmans Code Execution: PrestaShop 1.7.2.4

7 May 2018 by Robin Peraglie

PrestaShop is an open-source e-commerce solution. With more than 270,000 running instances it is one of the top 10 most used content management systems in the Web1. Additionally to the classical software download, PrestaShop Ready offers to rent an online shop and to get administrative access to pre-hosted PrestaShop instances. From the perspective of attackers these e-commerce systems are very attractive targets because thousands of customers enter sensitive payment information.

Our leading security analysis solution RIPS detected a highly critical PHP object injection vulnerability in PrestaShop that allows to execute arbitrary code on any installation with version <= 1.7.2.4. In this technical blog post we present the vulnerability and the exploitation technique that could have allowed attackers to compromise PrestaShop servers. This posed a serious risk for the PrestaShop Ready cloud. A fix was released and administrators of outdated PrestaShop installations are highly encouraged to update.

Read More ...